suricata
detect-dns-query.c
Go to the documentation of this file.
1 /* Copyright (C) 2013-2018 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup dnslayer
20  *
21  * @{
22  */
23 
24 
25 /**
26  * \file
27  *
28  * \author Victor Julien <victor@inliniac.net>
29  */
30 
31 #include "suricata-common.h"
32 #include "threads.h"
33 #include "debug.h"
34 #include "decode.h"
35 #include "detect.h"
36 
37 #include "detect-parse.h"
38 #include "detect-engine.h"
39 #include "detect-engine-mpm.h"
40 #include "detect-engine-prefilter.h"
41 #include "detect-engine-content-inspection.h"
42 #include "detect-content.h"
43 #include "detect-pcre.h"
44 
45 #include "flow.h"
46 #include "flow-util.h"
47 #include "flow-var.h"
48 
49 #include "util-debug.h"
50 #include "util-unittest.h"
51 #include "util-spm.h"
52 #include "util-print.h"
53 
54 #include "stream-tcp.h"
55 
56 #include "app-layer.h"
57 #include "app-layer-parser.h"
58 #include "detect-dns-query.h"
59 
60 #include "util-unittest-helper.h"
61 #include "rust.h"
62 
63 static int DetectDnsQuerySetup (DetectEngineCtx *, Signature *, const char *);
64 #ifdef UNITTESTS
65 static void DetectDnsQueryRegisterTests(void);
66 #endif
67 static int g_dns_query_buffer_id = 0;
68 
69 struct DnsQueryGetDataArgs {
70  uint32_t local_id; /**< used as index into thread inspect array */
71  void *txv;
72 };
73 
74 static InspectionBuffer *DnsQueryGetData(DetectEngineThreadCtx *det_ctx,
75  const DetectEngineTransforms *transforms,
76  Flow *f, struct DnsQueryGetDataArgs *cbdata, int list_id, bool first)
77 {
78  SCEnter();
79 
80  InspectionBuffer *buffer =
81  InspectionBufferMultipleForListGet(det_ctx, list_id, cbdata->local_id);
82  if (buffer == NULL)
83  return NULL;
84  if (!first && buffer->inspect != NULL)
85  return buffer;
86 
87  const uint8_t *data;
88  uint32_t data_len;
89  if (rs_dns_tx_get_query_name(cbdata->txv, cbdata->local_id, &data, &data_len) == 0) {
90  return NULL;
91  }
92  InspectionBufferSetupMulti(buffer, transforms, data, data_len);
93 
94  SCReturnPtr(buffer, "InspectionBuffer");
95 }
96 
97 static int DetectEngineInspectDnsQuery(
98  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
99  const DetectEngineAppInspectionEngine *engine,
100  const Signature *s,
101  Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
102 {
103  uint32_t local_id = 0;
104 
105  const DetectEngineTransforms *transforms = NULL;
106  if (!engine->mpm) {
107  transforms = engine->v2.transforms;
108  }
109 
110  while(1) {
111  struct DnsQueryGetDataArgs cbdata = { local_id, txv, };
112  InspectionBuffer *buffer = DnsQueryGetData(det_ctx,
113  transforms, f, &cbdata, engine->sm_list, false);
114  if (buffer == NULL || buffer->inspect == NULL)
115  break;
116 
117  det_ctx->buffer_offset = 0;
118  det_ctx->discontinue_matching = 0;
119  det_ctx->inspection_recursion_counter = 0;
120 
121  const int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd,
122  NULL, f,
123  (uint8_t *)buffer->inspect,
124  buffer->inspect_len,
125  buffer->inspect_offset, DETECT_CI_FLAGS_SINGLE,
126  DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
127  if (match == 1) {
128  return DETECT_ENGINE_INSPECT_SIG_MATCH;
129  }
130  local_id++;
131  }
132  return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
133 }
134 
135 typedef struct PrefilterMpmDnsQuery {
136  int list_id;
137  const MpmCtx *mpm_ctx;
138  const DetectEngineTransforms *transforms;
139 } PrefilterMpmDnsQuery;
140 
141 /** \brief DnsQuery DnsQuery Mpm prefilter callback
142  *
143  * \param det_ctx detection engine thread ctx
144  * \param p packet to inspect
145  * \param f flow to inspect
146  * \param txv tx to inspect
147  * \param pectx inspection context
148  */
149 static void PrefilterTxDnsQuery(DetectEngineThreadCtx *det_ctx,
150  const void *pectx,
151  Packet *p, Flow *f, void *txv,
152  const uint64_t idx, const uint8_t flags)
153 {
154  SCEnter();
155 
156  const PrefilterMpmDnsQuery *ctx = (const PrefilterMpmDnsQuery *)pectx;
157  const MpmCtx *mpm_ctx = ctx->mpm_ctx;
158  const int list_id = ctx->list_id;
159 
160  uint32_t local_id = 0;
161  while(1) {
162  // loop until we get a NULL
163 
164  struct DnsQueryGetDataArgs cbdata = { local_id, txv };
165  InspectionBuffer *buffer = DnsQueryGetData(det_ctx, ctx->transforms,
166  f, &cbdata, list_id, true);
167  if (buffer == NULL)
168  break;
169 
170  if (buffer->inspect_len >= mpm_ctx->minlen) {
171  (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
172  &det_ctx->mtcu, &det_ctx->pmq,
173  buffer->inspect, buffer->inspect_len);
174  }
175 
176  local_id++;
177  }
178 }
179 
180 static void PrefilterMpmDnsQueryFree(void *ptr)
181 {
182  SCFree(ptr);
183 }
184 
185 static int PrefilterMpmDnsQueryRegister(DetectEngineCtx *de_ctx,
186  SigGroupHead *sgh, MpmCtx *mpm_ctx,
187  const DetectBufferMpmRegistery *mpm_reg, int list_id)
188 {
189  PrefilterMpmDnsQuery *pectx = SCCalloc(1, sizeof(*pectx));
190  if (pectx == NULL)
191  return -1;
192  pectx->list_id = list_id;
193  pectx->mpm_ctx = mpm_ctx;
194  pectx->transforms = &mpm_reg->transforms;
195 
196  return PrefilterAppendTxEngine(de_ctx, sgh, PrefilterTxDnsQuery,
197  mpm_reg->app_v2.alproto, mpm_reg->app_v2.tx_min_progress,
198  pectx, PrefilterMpmDnsQueryFree, mpm_reg->pname);
199 }
200 
201 #ifdef HAVE_LUA
202 static int DetectEngineInspectDnsRequest(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
203  const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f,
204  uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
205 {
206  return DetectEngineInspectGenericList(
207  de_ctx, det_ctx, s, engine->smd, f, flags, alstate, txv, tx_id);
208 }
209 
210 static int DetectEngineInspectDnsResponse(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
211  const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f,
212  uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
213 {
214  return DetectEngineInspectGenericList(
215  de_ctx, det_ctx, s, engine->smd, f, flags, alstate, txv, tx_id);
216 }
217 #endif
218 
219 /**
220  * \brief Registration function for keyword: dns_query
221  */
222 void DetectDnsQueryRegister (void)
223 {
224  sigmatch_table[DETECT_AL_DNS_QUERY].name = "dns.query";
225  sigmatch_table[DETECT_AL_DNS_QUERY].alias = "dns_query";
226  sigmatch_table[DETECT_AL_DNS_QUERY].desc = "sticky buffer to match DNS query-buffer";
227  sigmatch_table[DETECT_AL_DNS_QUERY].url = "/rules/dns-keywords.html#dns-query";
228  sigmatch_table[DETECT_AL_DNS_QUERY].Setup = DetectDnsQuerySetup;
229 #ifdef UNITTESTS
230  sigmatch_table[DETECT_AL_DNS_QUERY].RegisterTests = DetectDnsQueryRegisterTests;
231 #endif
232  sigmatch_table[DETECT_AL_DNS_QUERY].flags |= SIGMATCH_NOOPT;
233  sigmatch_table[DETECT_AL_DNS_QUERY].flags |= SIGMATCH_INFO_STICKY_BUFFER;
234 
235  DetectAppLayerMpmRegister2("dns_query", SIG_FLAG_TOSERVER, 2,
236  PrefilterMpmDnsQueryRegister, NULL,
237  ALPROTO_DNS, 1);
238 
239  DetectAppLayerInspectEngineRegister2("dns_query",
240  ALPROTO_DNS, SIG_FLAG_TOSERVER, 1,
241  DetectEngineInspectDnsQuery, NULL);
242 
243  DetectBufferTypeSetDescriptionByName("dns_query",
244  "dns request query");
245 
246  g_dns_query_buffer_id = DetectBufferTypeGetByName("dns_query");
247 
248 #ifdef HAVE_LUA
249  /* register these generic engines from here for now */
250  DetectAppLayerInspectEngineRegister2(
251  "dns_request", ALPROTO_DNS, SIG_FLAG_TOSERVER, 1, DetectEngineInspectDnsRequest, NULL);
252  DetectAppLayerInspectEngineRegister2("dns_response", ALPROTO_DNS, SIG_FLAG_TOCLIENT, 1,
253  DetectEngineInspectDnsResponse, NULL);
254 
255  DetectBufferTypeSetDescriptionByName("dns_request",
256  "dns requests");
257  DetectBufferTypeSetDescriptionByName("dns_response",
258  "dns responses");
259 #endif
260 }
261 
262 
263 /**
264  * \brief setup the dns_query sticky buffer keyword used in the rule
265  *
266  * \param de_ctx Pointer to the Detection Engine Context
267  * \param s Pointer to the Signature to which the current keyword belongs
268  * \param str Should hold an empty string always
269  *
270  * \retval 0 On success
271  * \retval -1 On failure
272  */
273 
274 static int DetectDnsQuerySetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
275 {
276  if (DetectBufferSetActiveList(s, g_dns_query_buffer_id) < 0)
277  return -1;
278  if (DetectSignatureSetAppProto(s, ALPROTO_DNS) < 0)
279  return -1;
280  return 0;
281 }
282 
283 #ifdef UNITTESTS
284 #include "detect-isdataat.h"
285 
286 /** \test simple google.com query matching */
287 static int DetectDnsQueryTest01(void)
288 {
289  /* google.com */
290  uint8_t buf[] = { 0x10, 0x32, 0x01, 0x00, 0x00, 0x01,
291  0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
292  0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
293  0x65, 0x03, 0x63, 0x6F, 0x6D, 0x00,
294  0x00, 0x10, 0x00, 0x01, };
295  Flow f;
296  void *dns_state = NULL;
297  Packet *p = NULL;
298  Signature *s = NULL;
299  ThreadVars tv;
300  DetectEngineThreadCtx *det_ctx = NULL;
301  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
302 
303  memset(&tv, 0, sizeof(ThreadVars));
304  memset(&f, 0, sizeof(Flow));
305 
306  p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_UDP,
307  "192.168.1.5", "192.168.1.1",
308  41424, 53);
309 
310  FLOW_INITIALIZE(&f);
311  f.flags |= FLOW_IPV4;
312  f.proto = IPPROTO_UDP;
313  f.protomap = FlowGetProtoMapping(f.proto);
314 
315  p->flow = &f;
316  p->flags |= PKT_HAS_FLOW;
317  p->flowflags |= FLOW_PKT_TOSERVER;
318  f.alproto = ALPROTO_DNS;
319 
320  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
321  FAIL_IF_NULL(de_ctx);
322  de_ctx->mpm_matcher = mpm_default_matcher;
323  de_ctx->flags |= DE_QUIET;
324 
325  s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
326  "(msg:\"Test dns_query option\"; "
327  "dns_query; content:\"google\"; nocase; sid:1;)");
328  FAIL_IF_NULL(s);
329 
330  SigGroupBuild(de_ctx);
331  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
332 
333  FLOWLOCK_WRLOCK(&f);
334  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS,
335  STREAM_TOSERVER, buf, sizeof(buf));
336  if (r != 0) {
337  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
338  FLOWLOCK_UNLOCK(&f);
339  FAIL;
340  }
341  FLOWLOCK_UNLOCK(&f);
342 
343  dns_state = f.alstate;
344  FAIL_IF_NULL(dns_state);
345 
346  /* do detect */
347  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
348 
349  if (!(PacketAlertCheck(p, 1))) {
350  printf("sig 1 didn't alert, but it should have: ");
351  FAIL;
352  }
353 
354  if (alp_tctx != NULL)
355  AppLayerParserThreadCtxFree(alp_tctx);
356  if (det_ctx != NULL)
357  DetectEngineThreadCtxDeinit(&tv, det_ctx);
358  if (de_ctx != NULL)
359  SigGroupCleanup(de_ctx);
360  if (de_ctx != NULL)
361  DetectEngineCtxFree(de_ctx);
362 
363  FLOW_DESTROY(&f);
364  UTHFreePacket(p);
365  PASS;
366 }
367 
368 /** \test multi tx google.(com|net) query matching */
369 static int DetectDnsQueryTest02(void)
370 {
371  /* google.com */
372  uint8_t buf1[] = { 0x10, 0x32, 0x01, 0x00, 0x00, 0x01,
373  0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
374  0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
375  0x65, 0x03, 0x63, 0x6F, 0x6D, 0x00,
376  0x00, 0x01, 0x00, 0x01, };
377 
378  uint8_t buf2[] = { 0x10, 0x32, /* tx id */
379  0x81, 0x80, /* flags: resp, recursion desired, recursion available */
380  0x00, 0x01, /* 1 query */
381  0x00, 0x01, /* 1 answer */
382  0x00, 0x00, 0x00, 0x00, /* no auth rr, additional rr */
383  /* query record */
384  0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C, /* name */
385  0x65, 0x03, 0x63, 0x6F, 0x6D, 0x00, /* name cont */
386  0x00, 0x01, 0x00, 0x01, /* type a, class in */
387  /* answer */
388  0xc0, 0x0c, /* ref to name in query above */
389  0x00, 0x01, 0x00, 0x01, /* type a, class in */
390  0x00, 0x01, 0x40, 0xef, /* ttl */
391  0x00, 0x04, /* data len */
392  0x01, 0x02, 0x03, 0x04 }; /* addr */
393 
394  /* google.net */
395  uint8_t buf3[] = { 0x11, 0x33, 0x01, 0x00, 0x00, 0x01,
396  0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
397  0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
398  0x65, 0x03, 0x6E, 0x65, 0x74, 0x00,
399  0x00, 0x10, 0x00, 0x01, };
400  Flow f;
401  void *dns_state = NULL;
402  Packet *p1 = NULL, *p2 = NULL, *p3 = NULL;
403  Signature *s = NULL;
404  ThreadVars tv;
405  DetectEngineThreadCtx *det_ctx = NULL;
406  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
407 
408  memset(&tv, 0, sizeof(ThreadVars));
409  memset(&f, 0, sizeof(Flow));
410 
411  p1 = UTHBuildPacketReal(buf1, sizeof(buf1), IPPROTO_UDP,
412  "192.168.1.5", "192.168.1.1",
413  41424, 53);
414  p2 = UTHBuildPacketReal(buf1, sizeof(buf1), IPPROTO_UDP,
415  "192.168.1.5", "192.168.1.1",
416  41424, 53);
417  p3 = UTHBuildPacketReal(buf1, sizeof(buf1), IPPROTO_UDP,
418  "192.168.1.5", "192.168.1.1",
419  41424, 53);
420 
421  FLOW_INITIALIZE(&f);
422  f.flags |= FLOW_IPV4;
423  f.proto = IPPROTO_UDP;
424  f.protomap = FlowGetProtoMapping(f.proto);
425  f.alproto = ALPROTO_DNS;
426 
427  p1->flow = &f;
428  p1->flags |= PKT_HAS_FLOW;
429  p1->flowflags |= FLOW_PKT_TOSERVER;
430  p1->pcap_cnt = 1;
431 
432  p2->flow = &f;
433  p2->flags |= PKT_HAS_FLOW;
434  p2->flowflags |= FLOW_PKT_TOCLIENT;
435  p2->pcap_cnt = 2;
436 
437  p3->flow = &f;
438  p3->flags |= PKT_HAS_FLOW;
439  p3->flowflags |= FLOW_PKT_TOSERVER;
440  p3->pcap_cnt = 3;
441 
442  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
443  FAIL_IF_NULL(de_ctx);
444  de_ctx->mpm_matcher = mpm_default_matcher;
445  de_ctx->flags |= DE_QUIET;
446 
447  s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
448  "(msg:\"Test dns_query option\"; "
449  "dns_query; content:\"google.com\"; nocase; sid:1;)");
450  FAIL_IF_NULL(s);
451  s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
452  "(msg:\"Test dns_query option\"; "
453  "dns_query; content:\"google.net\"; nocase; sid:2;)");
454  FAIL_IF_NULL(s);
455 
456  SigGroupBuild(de_ctx);
457  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
458 
459  FLOWLOCK_WRLOCK(&f);
460  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS,
461  STREAM_TOSERVER, buf1, sizeof(buf1));
462  if (r != 0) {
463  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
464  FLOWLOCK_UNLOCK(&f);
465  FAIL;
466  }
467  FLOWLOCK_UNLOCK(&f);
468 
469  dns_state = f.alstate;
470  FAIL_IF_NULL(dns_state);
471 
472  /* do detect */
473  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
474 
475  if (!(PacketAlertCheck(p1, 1))) {
476  printf("(p1) sig 1 didn't alert, but it should have: ");
477  FAIL;
478  }
479  if (PacketAlertCheck(p1, 2)) {
480  printf("(p1) sig 2 did alert, but it should not have: ");
481  FAIL;
482  }
483 
484  FLOWLOCK_WRLOCK(&f);
485  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS, STREAM_TOCLIENT,
486  buf2, sizeof(buf2));
487  if (r != 0) {
488  printf("toserver client 1 returned %" PRId32 ", expected 0: ", r);
489  FLOWLOCK_UNLOCK(&f);
490  FAIL;
491  }
492  FLOWLOCK_UNLOCK(&f);
493 
494  /* do detect */
495  SigMatchSignatures(&tv, de_ctx, det_ctx, p2);
496 
497  if (PacketAlertCheck(p2, 1)) {
498  printf("(p2) sig 1 alerted, but it should not have: ");
499  FAIL;
500  }
501  if (PacketAlertCheck(p2, 2)) {
502  printf("(p2) sig 2 alerted, but it should not have: ");
503  FAIL;
504  }
505 
506  FLOWLOCK_WRLOCK(&f);
507  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS, STREAM_TOSERVER,
508  buf3, sizeof(buf3));
509  if (r != 0) {
510  printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
511  FLOWLOCK_UNLOCK(&f);
512  FAIL;
513  }
514  FLOWLOCK_UNLOCK(&f);
515 
516  /* do detect */
517  SigMatchSignatures(&tv, de_ctx, det_ctx, p3);
518 
519  if (PacketAlertCheck(p3, 1)) {
520  printf("(p3) sig 1 alerted, but it should not have: ");
521  FAIL;
522  }
523  if (!(PacketAlertCheck(p3, 2))) {
524  printf("(p3) sig 2 didn't alert, but it should have: ");
525  FAIL;
526  }
527 
528  if (alp_tctx != NULL)
529  AppLayerParserThreadCtxFree(alp_tctx);
530  if (det_ctx != NULL)
531  DetectEngineThreadCtxDeinit(&tv, det_ctx);
532  if (de_ctx != NULL)
533  SigGroupCleanup(de_ctx);
534  if (de_ctx != NULL)
535  DetectEngineCtxFree(de_ctx);
536 
537  FLOW_DESTROY(&f);
538  UTHFreePacket(p1);
539  UTHFreePacket(p2);
540  UTHFreePacket(p3);
541  PASS;
542 }
543 
544 /** \test simple google.com query matching (TCP) */
545 static int DetectDnsQueryTest03(void)
546 {
547  /* google.com */
548  uint8_t buf[] = { 0x00, 28,
549  0x10, 0x32, 0x01, 0x00, 0x00, 0x01,
550  0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
551  0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
552  0x65, 0x03, 0x63, 0x6F, 0x6D, 0x00,
553  0x00, 0x10, 0x00, 0x01, };
554  Flow f;
555  void *dns_state = NULL;
556  Packet *p = NULL;
557  Signature *s = NULL;
558  ThreadVars tv;
559  DetectEngineThreadCtx *det_ctx = NULL;
560  TcpSession ssn;
561  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
562 
563  memset(&tv, 0, sizeof(ThreadVars));
564  memset(&f, 0, sizeof(Flow));
565  memset(&ssn, 0, sizeof(TcpSession));
566 
567  p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_TCP,
568  "192.168.1.5", "192.168.1.1",
569  41424, 53);
570 
571  FLOW_INITIALIZE(&f);
572  f.protoctx = (void *)&ssn;
573  f.flags |= FLOW_IPV4;
574  f.proto = IPPROTO_TCP;
575  f.protomap = FlowGetProtoMapping(f.proto);
576 
577  p->flow = &f;
578  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
579  p->flowflags |= FLOW_PKT_TOSERVER|FLOW_PKT_ESTABLISHED;
580  f.alproto = ALPROTO_DNS;
581 
582  StreamTcpInitConfig(true);
583 
584  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
585  FAIL_IF_NULL(de_ctx);
586  de_ctx->mpm_matcher = mpm_default_matcher;
587  de_ctx->flags |= DE_QUIET;
588 
589  s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
590  "(msg:\"Test dns_query option\"; "
591  "dns_query; content:\"google\"; nocase; sid:1;)");
592  FAIL_IF_NULL(s);
593 
594  SigGroupBuild(de_ctx);
595  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
596 
597  FLOWLOCK_WRLOCK(&f);
598  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS,
599  STREAM_TOSERVER, buf, sizeof(buf));
600  if (r != 0) {
601  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
602  FLOWLOCK_UNLOCK(&f);
603  FAIL;
604  }
605  FLOWLOCK_UNLOCK(&f);
606 
607  dns_state = f.alstate;
608  FAIL_IF_NULL(dns_state);
609 
610  /* do detect */
611  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
612 
613  if (!(PacketAlertCheck(p, 1))) {
614  printf("sig 1 didn't alert, but it should have: ");
615  FAIL;
616  }
617 
618  if (alp_tctx != NULL)
619  AppLayerParserThreadCtxFree(alp_tctx);
620  if (det_ctx != NULL)
621  DetectEngineThreadCtxDeinit(&tv, det_ctx);
622  if (de_ctx != NULL)
623  SigGroupCleanup(de_ctx);
624  if (de_ctx != NULL)
625  DetectEngineCtxFree(de_ctx);
626 
627  StreamTcpFreeConfig(true);
628  FLOW_DESTROY(&f);
629  UTHFreePacket(p);
630  PASS;
631 }
632 
633 
634 /** \test simple google.com query matching, pcre */
635 static int DetectDnsQueryTest04(void)
636 {
637  /* google.com */
638  uint8_t buf[] = { 0x10, 0x32, 0x01, 0x00, 0x00, 0x01,
639  0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
640  0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
641  0x65, 0x03, 0x63, 0x6F, 0x6D, 0x00,
642  0x00, 0x10, 0x00, 0x01, };
643  Flow f;
644  void *dns_state = NULL;
645  Packet *p = NULL;
646  Signature *s = NULL;
647  ThreadVars tv;
648  DetectEngineThreadCtx *det_ctx = NULL;
649  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
650 
651  memset(&tv, 0, sizeof(ThreadVars));
652  memset(&f, 0, sizeof(Flow));
653 
654  p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_UDP,
655  "192.168.1.5", "192.168.1.1",
656  41424, 53);
657 
658  FLOW_INITIALIZE(&f);
659  f.flags |= FLOW_IPV4;
660  f.proto = IPPROTO_UDP;
661  f.protomap = FlowGetProtoMapping(f.proto);
662 
663  p->flow = &f;
664  p->flags |= PKT_HAS_FLOW;
665  p->flowflags |= FLOW_PKT_TOSERVER;
666  f.alproto = ALPROTO_DNS;
667 
668  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
669  FAIL_IF_NULL(de_ctx);
670  de_ctx->mpm_matcher = mpm_default_matcher;
671  de_ctx->flags |= DE_QUIET;
672 
673  s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
674  "(msg:\"Test dns_query option\"; "
675  "dns_query; content:\"google\"; nocase; "
676  "pcre:\"/google\\.com$/i\"; sid:1;)");
677  FAIL_IF_NULL(s);
678  s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
679  "(msg:\"Test dns_query option\"; "
680  "dns_query; content:\"google\"; nocase; "
681  "pcre:\"/^\\.[a-z]{2,3}$/iR\"; sid:2;)");
682  FAIL_IF_NULL(s);
683 
684  SigGroupBuild(de_ctx);
685  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
686 
687  FLOWLOCK_WRLOCK(&f);
688  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS,
689  STREAM_TOSERVER, buf, sizeof(buf));
690  if (r != 0) {
691  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
692  FLOWLOCK_UNLOCK(&f);
693  FAIL;
694  }
695  FLOWLOCK_UNLOCK(&f);
696 
697  dns_state = f.alstate;
698  FAIL_IF_NULL(dns_state);
699 
700  /* do detect */
701  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
702 
703  if (!(PacketAlertCheck(p, 1))) {
704  printf("sig 1 didn't alert, but it should have: ");
705  FAIL;
706  }
707  if (!(PacketAlertCheck(p, 2))) {
708  printf("sig 2 didn't alert, but it should have: ");
709  FAIL;
710  }
711 
712  if (alp_tctx != NULL)
713  AppLayerParserThreadCtxFree(alp_tctx);
714  if (det_ctx != NULL)
715  DetectEngineThreadCtxDeinit(&tv, det_ctx);
716  if (de_ctx != NULL)
717  SigGroupCleanup(de_ctx);
718  if (de_ctx != NULL)
719  DetectEngineCtxFree(de_ctx);
720 
721  FLOW_DESTROY(&f);
722  UTHFreePacket(p);
723  PASS;
724 }
725 
726 /** \test multi tx google.(com|net) query matching +
727  * app layer event */
728 static int DetectDnsQueryTest05(void)
729 {
730  /* google.com */
731  uint8_t buf1[] = { 0x10, 0x32, 0x01, 0x00, 0x00, 0x01,
732  0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
733  0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
734  0x65, 0x03, 0x63, 0x6F, 0x6D, 0x00,
735  0x00, 0x01, 0x00, 0x01, };
736 
737  uint8_t buf2[] = { 0x10, 0x32, /* tx id */
738  0x81, 0x80|0x40, /* flags: resp, recursion desired, recursion available */
739  0x00, 0x01, /* 1 query */
740  0x00, 0x01, /* 1 answer */
741  0x00, 0x00, 0x00, 0x00, /* no auth rr, additional rr */
742  /* query record */
743  0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C, /* name */
744  0x65, 0x03, 0x63, 0x6F, 0x6D, 0x00, /* name cont */
745  0x00, 0x01, 0x00, 0x01, /* type a, class in */
746  /* answer */
747  0xc0, 0x0c, /* ref to name in query above */
748  0x00, 0x01, 0x00, 0x01, /* type a, class in */
749  0x00, 0x01, 0x40, 0xef, /* ttl */
750  0x00, 0x04, /* data len */
751  0x01, 0x02, 0x03, 0x04 }; /* addr */
752 
753  /* google.net */
754  uint8_t buf3[] = { 0x11, 0x33, 0x01, 0x00, 0x00, 0x01,
755  0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
756  0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
757  0x65, 0x03, 0x6E, 0x65, 0x74, 0x00,
758  0x00, 0x10, 0x00, 0x01, };
759  Flow f;
760  void *dns_state = NULL;
761  Packet *p1 = NULL, *p2 = NULL, *p3 = NULL;
762  Signature *s = NULL;
763  ThreadVars tv;
764  DetectEngineThreadCtx *det_ctx = NULL;
765  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
766 
767  memset(&tv, 0, sizeof(ThreadVars));
768  memset(&f, 0, sizeof(Flow));
769 
770  p1 = UTHBuildPacketReal(buf1, sizeof(buf1), IPPROTO_UDP,
771  "192.168.1.5", "192.168.1.1",
772  41424, 53);
773  p2 = UTHBuildPacketReal(buf2, sizeof(buf2), IPPROTO_UDP,
774  "192.168.1.5", "192.168.1.1",
775  41424, 53);
776  p3 = UTHBuildPacketReal(buf3, sizeof(buf3), IPPROTO_UDP,
777  "192.168.1.5", "192.168.1.1",
778  41424, 53);
779 
780  FLOW_INITIALIZE(&f);
781  f.flags |= FLOW_IPV4;
782  f.proto = IPPROTO_UDP;
783  f.protomap = FlowGetProtoMapping(f.proto);
784  f.alproto = ALPROTO_DNS;
785 
786  p1->flow = &f;
787  p1->flags |= PKT_HAS_FLOW;
788  p1->flowflags |= FLOW_PKT_TOSERVER;
789  p1->pcap_cnt = 1;
790 
791  p2->flow = &f;
792  p2->flags |= PKT_HAS_FLOW;
793  p2->flowflags |= FLOW_PKT_TOCLIENT;
794  p2->pcap_cnt = 2;
795 
796  p3->flow = &f;
797  p3->flags |= PKT_HAS_FLOW;
798  p3->flowflags |= FLOW_PKT_TOSERVER;
799  p3->pcap_cnt = 3;
800 
801  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
802  FAIL_IF_NULL(de_ctx);
803  de_ctx->mpm_matcher = mpm_default_matcher;
804  de_ctx->flags |= DE_QUIET;
805 
806  s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
807  "(msg:\"Test dns_query option\"; "
808  "dns_query; content:\"google.com\"; nocase; sid:1;)");
809  FAIL_IF_NULL(s);
810  s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
811  "(msg:\"Test dns_query option\"; "
812  "dns_query; content:\"google.net\"; nocase; sid:2;)");
813  FAIL_IF_NULL(s);
814  s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
815  "(msg:\"Test Z flag event\"; "
816  "app-layer-event:dns.z_flag_set; sid:3;)");
817  FAIL_IF_NULL(s);
818 
819  SigGroupBuild(de_ctx);
820  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
821 
822  FLOWLOCK_WRLOCK(&f);
823  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS,
824  STREAM_TOSERVER, buf1, sizeof(buf1));
825  if (r != 0) {
826  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
827  FLOWLOCK_UNLOCK(&f);
828  FAIL;
829  }
830  FLOWLOCK_UNLOCK(&f);
831 
832  dns_state = f.alstate;
833  FAIL_IF_NULL(dns_state);
834 
835  /* do detect */
836  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
837 
838  if (!(PacketAlertCheck(p1, 1))) {
839  printf("(p1) sig 1 didn't alert, but it should have: ");
840  FAIL;
841  }
842  if (PacketAlertCheck(p1, 2)) {
843  printf("(p1) sig 2 did alert, but it should not have: ");
844  FAIL;
845  }
846 
847  FLOWLOCK_WRLOCK(&f);
848  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS, STREAM_TOCLIENT,
849  buf2, sizeof(buf2));
850  if (r != 0) {
851  printf("toserver client 1 returned %" PRId32 ", expected 0\n", r);
852  FLOWLOCK_UNLOCK(&f);
853  FAIL;
854  }
855  FLOWLOCK_UNLOCK(&f);
856 
857  /* do detect */
858  SigMatchSignatures(&tv, de_ctx, det_ctx, p2);
859 
860  if (PacketAlertCheck(p2, 1)) {
861  printf("(p2) sig 1 alerted, but it should not have: ");
862  FAIL;
863  }
864  if (PacketAlertCheck(p2, 2)) {
865  printf("(p2) sig 2 alerted, but it should not have: ");
866  FAIL;
867  }
868  if (!(PacketAlertCheck(p2, 3))) {
869  printf("(p2) sig 3 didn't alert, but it should have: ");
870  FAIL;
871  }
872 
873  FLOWLOCK_WRLOCK(&f);
874  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS, STREAM_TOSERVER,
875  buf3, sizeof(buf3));
876  if (r != 0) {
877  printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
878  FLOWLOCK_UNLOCK(&f);
879  FAIL;
880  }
881  FLOWLOCK_UNLOCK(&f);
882 
883  /* do detect */
884  SigMatchSignatures(&tv, de_ctx, det_ctx, p3);
885 
886  if (PacketAlertCheck(p3, 1)) {
887  printf("(p3) sig 1 alerted, but it should not have: ");
888  FAIL;
889  }
890  if (!(PacketAlertCheck(p3, 2))) {
891  printf("(p3) sig 2 didn't alert, but it should have: ");
892  FAIL;
893  }
894  /** \todo should not alert, bug #839
895  if (PacketAlertCheck(p3, 3)) {
896  printf("(p3) sig 3 did alert, but it should not have: ");
897  goto end;
898  }
899  */
900 
901  if (alp_tctx != NULL)
902  AppLayerParserThreadCtxFree(alp_tctx);
903  if (det_ctx != NULL)
904  DetectEngineThreadCtxDeinit(&tv, det_ctx);
905  if (de_ctx != NULL)
906  SigGroupCleanup(de_ctx);
907  if (de_ctx != NULL)
908  DetectEngineCtxFree(de_ctx);
909 
910  FLOW_DESTROY(&f);
911  UTHFreePacket(p1);
912  UTHFreePacket(p2);
913  UTHFreePacket(p3);
914  PASS;
915 }
916 
917 static int DetectDnsQueryIsdataatParseTest(void)
918 {
919  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
920  FAIL_IF_NULL(de_ctx);
921  de_ctx->flags |= DE_QUIET;
922 
923  Signature *s = DetectEngineAppendSig(de_ctx,
924  "alert dns any any -> any any ("
925  "dns_query; content:\"one\"; "
926  "isdataat:!4,relative; sid:1;)");
927  FAIL_IF_NULL(s);
928 
929  SigMatch *sm = s->init_data->smlists_tail[g_dns_query_buffer_id];
930  FAIL_IF_NULL(sm);
931  FAIL_IF_NOT(sm->type == DETECT_ISDATAAT);
932 
933  DetectIsdataatData *data = (DetectIsdataatData *)sm->ctx;
934  FAIL_IF_NOT(data->flags & ISDATAAT_RELATIVE);
935  FAIL_IF_NOT(data->flags & ISDATAAT_NEGATED);
936  FAIL_IF(data->flags & ISDATAAT_RAWBYTES);
937 
938  DetectEngineCtxFree(de_ctx);
939  PASS;
940 }
941 
942 static void DetectDnsQueryRegisterTests(void)
943 {
944  UtRegisterTest("DetectDnsQueryTest01", DetectDnsQueryTest01);
945  UtRegisterTest("DetectDnsQueryTest02", DetectDnsQueryTest02);
946  UtRegisterTest("DetectDnsQueryTest03 -- tcp", DetectDnsQueryTest03);
947  UtRegisterTest("DetectDnsQueryTest04 -- pcre", DetectDnsQueryTest04);
948  UtRegisterTest("DetectDnsQueryTest05 -- app layer event",
949  DetectDnsQueryTest05);
950 
951  UtRegisterTest("DetectDnsQueryIsdataatParseTest",
952  DetectDnsQueryIsdataatParseTest);
953 }
954 #endif
DetectEngineAppInspectionEngine_
Definition: detect.h:398
SigTableElmt_::url
const char * url
Definition: detect.h:1270
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1490
DetectEngineAppInspectionEngine_::mpm
bool mpm
Definition: detect.h:402
detect-content.h
MpmCtx_::mpm_type
uint8_t mpm_type
Definition: util-mpm.h:90
DetectEngineThreadCtx_::buffer_offset
uint32_t buffer_offset
Definition: detect.h:1088
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SIGMATCH_INFO_STICKY_BUFFER
#define SIGMATCH_INFO_STICKY_BUFFER
Definition: detect.h:1477
SigTableElmt_::desc
const char * desc
Definition: detect.h:1269
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1175
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
Definition: detect-engine-content-inspection.h:36
flow-util.h
ALPROTO_DNS
@ ALPROTO_DNS
Definition: app-layer-protos.h:41
DetectEngineInspectGenericList
int DetectEngineInspectGenericList(const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, const uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1941
SigTableElmt_::name
const char * name
Definition: detect.h:1267
stream-tcp.h
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1425
DetectEngineTransforms
Definition: detect.h:379
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DetectIsdataatData_::flags
uint8_t flags
Definition: detect-isdataat.h:37
DnsQueryGetDataArgs::local_id
uint32_t local_id
Definition: detect-dns-query.c:70
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:588
detect-isdataat.h
Flow_::proto
uint8_t proto
Definition: flow.h:375
DetectBufferMpmRegistery_::transforms
DetectEngineTransforms transforms
Definition: detect.h:648
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:137
InspectionBuffer
Definition: detect.h:345
Packet_::flags
uint32_t flags
Definition: decode.h:462
DnsQueryGetDataArgs::txv
void * txv
Definition: detect-dns-query.c:71
threads.h
Flow_
Flow data structure.
Definition: flow.h:353
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1167
Flow_::protomap
uint8_t protomap
Definition: flow.h:455
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1261
DetectBufferMpmRegistery_::app_v2
struct DetectBufferMpmRegistery_::@87::@89 app_v2
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:811
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2433
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:320
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:225
rust.h
DE_QUIET
#define DE_QUIET
Definition: detect.h:295
DetectBufferMpmRegistery_
one time registration of keywords at start up
Definition: detect.h:634
mpm_default_matcher
uint8_t mpm_default_matcher
Definition: util-mpm.c:49
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1790
DetectIsdataatData_
Definition: detect-isdataat.h:35
DetectEngineContentInspection
int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, uint32_t buffer_len, uint32_t stream_start_offset, uint8_t flags, uint8_t inspection_mode)
Run the actual payload match functions.
Definition: detect-engine-content-inspection.c:102
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:458
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:237
UTHBuildPacketReal
Packet * UTHBuildPacketReal(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst, uint16_t sport, uint16_t dport)
UTHBuildPacketReal is a function that create tcp/udp packets for unittests specifying ip and port sou...
Definition: util-unittest-helper.c:242
Flow_::protoctx
void * protoctx
Definition: flow.h:451
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1252
DetectEngineCtx_::mpm_matcher
uint16_t mpm_matcher
Definition: detect.h:861
detect-pcre.h
DetectEngineAppInspectionEngine_::v2
struct DetectEngineAppInspectionEngine_::@84 v2
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:98
detect-engine-prefilter.h
DetectEngineThreadCtx_::mtcu
MpmThreadCtx mtcu
Definition: detect.h:1165
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
FLOWLOCK_UNLOCK
#define FLOWLOCK_UNLOCK(fb)
Definition: flow.h:270
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1077
detect-dns-query.h
DetectEngineAppInspectionEngine_::sm_list
uint16_t sm_list
Definition: detect.h:404
SignatureInitData_::smlists_tail
struct SigMatch_ ** smlists_tail
Definition: detect.h:544
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:357
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:236
decode.h
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1060
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:20
FLOWLOCK_WRLOCK
#define FLOWLOCK_WRLOCK(fb)
Definition: flow.h:267
util-print.h
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DETECT_ENGINE_INSPECT_SIG_MATCH
#define DETECT_ENGINE_INSPECT_SIG_MATCH
Definition: detect-engine-state.h:39
InspectionBuffer::inspect_offset
uint64_t inspect_offset
Definition: detect.h:347
app-layer-parser.h
MpmCtx_::minlen
uint16_t minlen
Definition: util-mpm.h:99
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:324
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2016
FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:95
Packet_
Definition: decode.h:427
ISDATAAT_RELATIVE
#define ISDATAAT_RELATIVE
Definition: detect-isdataat.h:27
DetectAppLayerInspectEngineRegister2
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Definition: detect-engine.c:225
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:619
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:316
ISDATAAT_RAWBYTES
#define ISDATAAT_RAWBYTES
Definition: detect-isdataat.h:28
MpmTableElmt_::Search
uint32_t(* Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t)
Definition: util-mpm.h:165
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:226
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1948
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:299
detect-engine-content-inspection.h
DetectEngineThreadCtx_::discontinue_matching
uint16_t discontinue_matching
Definition: detect.h:1127
DetectEngineAppInspectionEngine_::smd
SigMatchData * smd
Definition: detect.h:415
DetectAppLayerMpmRegister2
void DetectAppLayerMpmRegister2(const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id), InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register a MPM engine
Definition: detect-engine-mpm.c:89
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2420
Packet_::flow
struct Flow_ * flow
Definition: decode.h:464
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3142
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
DETECT_CI_FLAGS_SINGLE
#define DETECT_CI_FLAGS_SINGLE
Definition: detect-engine-content-inspection.h:47
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:662
DetectBufferMpmRegistery_::pname
char pname[32]
Definition: detect.h:636
flags
uint8_t flags
Definition: decode-gre.h:0
SigTableElmt_::alias
const char * alias
Definition: detect.h:1268
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1237
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3354
SigMatch_::type
uint16_t type
Definition: detect.h:322
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectEngineThreadCtx_::inspection_recursion_counter
int inspection_recursion_counter
Definition: detect.h:1144
util-spm.h
InspectionBufferSetupMulti
void InspectionBufferSetupMulti(InspectionBuffer *buffer, const DetectEngineTransforms *transforms, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine.c:1427
PrefilterMpmDnsQuery::transforms
const DetectEngineTransforms * transforms
Definition: detect-dns-query.c:138
DetectDnsQueryRegister
void DetectDnsQueryRegister(void)
Registration function for keyword: dns_query.
Definition: detect-dns-query.c:222
DETECT_ENGINE_INSPECT_SIG_NO_MATCH
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
Definition: detect-engine-state.h:38
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
ISDATAAT_NEGATED
#define ISDATAAT_NEGATED
Definition: detect-isdataat.h:29
InspectionBuffer::inspect_len
uint32_t inspect_len
Definition: detect.h:348
InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect.h:346
str
#define str(s)
Definition: suricata-common.h:272
SCFree
#define SCFree(p)
Definition: util-mem.h:61
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:485
Flow_::alstate
void * alstate
Definition: flow.h:486
Flow_::flags
uint32_t flags
Definition: flow.h:431
detect-parse.h
Signature_
Signature container.
Definition: detect.h:548
SigMatch_
a single match condition for a signature
Definition: detect.h:321
FAIL
#define FAIL
Fail a test.
Definition: util-unittest.h:60
PrefilterAppendTxEngine
int PrefilterAppendTxEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, void(*PrefilterTxFunc)(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f, void *tx, const uint64_t idx, const uint8_t flags), AppProto alproto, int tx_min_progress, void *pectx, void(*FreeFunc)(void *pectx), const char *name)
Definition: detect-engine-prefilter.c:270
DETECT_ISDATAAT
@ DETECT_ISDATAAT
Definition: detect-engine-register.h:80
DetectEngineAppInspectionEngine_::transforms
const DetectEngineTransforms * transforms
Definition: detect.h:412
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:227
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2394
PrefilterMpmDnsQuery::mpm_ctx
const MpmCtx * mpm_ctx
Definition: detect-dns-query.c:137
mpm_table
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
Definition: util-mpm.c:48
DETECT_AL_DNS_QUERY
@ DETECT_AL_DNS_QUERY
Definition: detect-engine-register.h:216
DnsQueryGetDataArgs
Definition: detect-dns-query.c:69
InspectionBufferMultipleForListGet
InspectionBuffer * InspectionBufferMultipleForListGet(DetectEngineThreadCtx *det_ctx, const int list_id, const uint32_t local_id)
for a InspectionBufferMultipleForList get a InspectionBuffer
Definition: detect-engine.c:1380
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1453
PrefilterMpmDnsQuery
Definition: detect-dns-query.c:135
DetectBufferSetActiveList
int DetectBufferSetActiveList(Signature *s, const int list)
Definition: detect-engine.c:1291
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:812
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:86
DetectBufferTypeSetDescriptionByName
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
Definition: detect-engine.c:1174
MpmCtx_
Definition: util-mpm.h:88
TcpSession_
Definition: stream-tcp-private.h:260
flow.h
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:460
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
PrefilterMpmDnsQuery::list_id
int list_id
Definition: detect-dns-query.c:136
flow-var.h
PrefilterMpmDnsQuery
struct PrefilterMpmDnsQuery PrefilterMpmDnsQuery
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:130
debug.h
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1172
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1259
app-layer.h